In March 2024, a finance director at a mid-size manufacturer in Ohio received an email from what appeared to be the company CEO. The message asked for an urgent wire transfer to close a confidential acquisition. The email looked flawless — correct logo, matching font, even a convincing signature block. She sent $1.2 million to an account in Hong Kong. It was gone in 90 minutes. Knowing how to spot phishing emails would have stopped that wire before it ever left the bank.
Phishing remains the single most common attack vector used against organizations and individuals. According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting accounted for over 73% of all social engineering incidents. That isn't a trend. It's a fixture. And in my experience, most people still can't reliably tell the difference between a legitimate email and one designed to steal their credentials.
This post will walk you through the exact red flags, the psychology behind the attacks, and the practical steps that actually reduce risk. No vague advice. No theory without context.
Why Phishing Emails Still Work in 2026
You'd think after years of headlines about data breaches and ransomware, people would stop clicking. They don't. And that's not because they're careless — it's because threat actors have gotten surgically precise.
Modern phishing campaigns use scraped LinkedIn data, compromised vendor accounts, and AI-generated text to craft messages that feel personal and urgent. The old "Nigerian prince" template is dead. What replaced it looks like a Slack notification, a Microsoft 365 password reset, or a voicemail transcript from your HR department.
I've reviewed phishing simulations across dozens of organizations. Even after baseline training, click rates on well-crafted phishing emails still hover between 10% and 15% on first exposure. That's enough to compromise an entire network.
The 8 Red Flags: How to Spot Phishing Emails Every Time
Here's the practical framework I teach in every phishing awareness training program I run. Memorize these. Print them. Tape them next to your monitor.
1. Urgency That Feels Like a Threat
Phishing emails almost always create artificial time pressure. "Your account will be locked in 24 hours." "Respond immediately or face disciplinary action." "This invoice is past due — final notice."
Legitimate companies rarely threaten you via email with hard deadlines measured in hours. When you feel your pulse quicken, that's the social engineering working. Pause. Verify through a separate channel.
2. Sender Address Doesn't Match the Brand
This is the single most reliable tell. Hover over the sender name (don't click) and look at the actual email address. You'll see things like [email protected] or [email protected].
A real Microsoft email comes from @microsoft.com. A real Amazon email comes from @amazon.com. Any deviation — extra words, misspellings, different domains — is a red flag.
3. Generic Greetings
"Dear Customer," "Dear User," or "Dear Account Holder" instead of your actual name. Your bank knows your name. Your employer knows your name. A threat actor who scraped a million email addresses from a breach doesn't.
4. Suspicious Links
Hover over every link before you click it. On desktop, you'll see the actual URL in the bottom-left corner of your browser or email client. On mobile, long-press the link to preview it.
Look for misspelled domains, extra subdomains (like login.microsoft.com.evil-site.net), and URL shorteners. If the link doesn't go exactly where you'd expect, don't click it.
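As an added illustration (not the post's own tooling), here is a small Python check that applies red flags 1 through 4 above to a raw email: it compares the sender's domain and every link's registrable domain against the brand you expected, catches the login.microsoft.com.evil-site.net subdomain trick, and pattern-matches the urgency phrases and generic greetings. It assumes the registrable domain is simply the last two DNS labels (wrong for co.uk-style suffixes), and the shortener list and sample message are constructed.

```python
"""Added illustration, not the post's own tooling: flag the sender-domain, link,
urgency and greeting red flags on one raw email. Assumes the registrable domain
is the last two DNS labels (wrong for co.uk-style suffixes); sample data is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed sample list
HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.I)  # double-quoted hrefs only
PATTERNS = {  # phrases taken from the red flags above
    "urgency language": re.compile(r"\b(within \d+ hours|immediately|final notice)\b", re.I),
    "generic greeting": re.compile(r"\bDear (Customer|User|Account Holder)\b", re.I),
}

def registrable(host: str) -> str:
    # login.microsoft.com.evil-site.net -> evil-site.net: only the last two labels count
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_email(raw: str, expected_domain: str) -> list:
    """Return red-flag descriptions for a raw RFC 822 message; [] means none fired."""
    msg = message_from_string(raw)
    flags = []
    sender_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if registrable(sender_dom) != expected_domain:
        flags.append(f"sender domain {sender_dom} is not {expected_domain}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href in HREF.findall(body):  # the hover check, done programmatically
        host = urlparse(href).hostname or ""
        if registrable(host) in SHORTENERS:
            flags.append(f"link uses URL shortener {host}")
        elif registrable(host) != expected_domain:
            flags.append(f"link host {host} actually belongs to {registrable(host)}")
    flags += [name for name, rx in PATTERNS.items() if rx.search(body)]
    return flags

SAMPLE = """\
From: Microsoft Account Team <no-reply@microsoft-alerts.example>
Content-Type: text/html

<p>Dear Customer, your account will be locked within 24 hours.
<a href="https://login.microsoft.com.evil-site.net/verify">Verify now</a></p>
"""

if __name__ == "__main__":
    for flag in check_email(SAMPLE, "microsoft.com"):
        print("RED FLAG:", flag)
```

Run against the constructed sample it reports all four flags; a genuine message from the expected domain with links on that domain returns an empty list.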
5. Unexpected Attachments
You didn't request an invoice. You aren't waiting for a shipping label. So why is there a .zip, .docm, or .html file attached to this email? Malicious attachments remain a primary delivery method for ransomware and credential-stealing malware.
If you weren't expecting it, don't open it. Call the sender directly to confirm — using a phone number you find independently, not one from the email.
6. Requests for Credentials or Personal Data
No legitimate company will ask you to reply to an email with your password, Social Security number, or banking information. Ever. If the email asks you to "verify" or "confirm" sensitive data, it's phishing.
7. Grammar and Formatting Inconsistencies
While AI has dramatically improved the quality of phishing copy, many campaigns still contain subtle errors. Look for inconsistent fonts, slightly off-brand colors, awkward phrasing, or British English in an email supposedly from an American company.
These are less reliable than they used to be, but still worth noting — especially in high-volume, lower-sophistication campaigns.
8. Too-Good-to-Be-True Offers
Gift cards, tax refunds, lottery winnings, job offers you never applied for. These emotional hooks bypass your critical thinking. If something sounds too generous for an unsolicited email, it's bait.
What Does a Phishing Email Look Like? A Quick-Reference Answer
A phishing email typically impersonates a trusted brand, colleague, or authority figure. It creates urgency, contains a suspicious link or attachment, and asks you to take immediate action — such as clicking a link to "verify" your account or opening a file to "review" a document. The sender address often doesn't match the legitimate domain, and the message may use generic greetings instead of your real name. Recognizing these patterns is the core skill in reliably spotting phishing emails.
Business Email Compromise: Phishing's Expensive Cousin
The Ohio wire fraud I mentioned at the top? That's a textbook Business Email Compromise (BEC) attack. The FBI's Internet Crime Complaint Center (IC3) has consistently ranked BEC as the most financially damaging cybercrime category. Their annual reports show BEC losses in the billions of dollars across reported incidents.
BEC attacks don't always use malware. They use trust. The attacker compromises or spoofs an executive's email account and instructs an employee to transfer funds, change payment details, or share sensitive documents.
The defense is procedural, not just technical. Require out-of-band verification for any financial request over a set threshold. Call the person directly. Use a verified phone number. This one policy can save your organization millions.
Why Your Spam Filter Isn't Enough
I hear this constantly: "We have email security, so we're covered." You're not.
Modern email security platforms — even good ones — operate on pattern recognition and known threat signatures. Sophisticated phishing campaigns use fresh domains, clean IPs, and novel payloads to slip through. CISA has repeatedly warned that technical controls alone cannot stop socially engineered attacks.
Your spam filter is one layer. Your people are another. Both layers have to work. A zero trust approach to email means you verify everything — regardless of whether it made it past the filter. If it's in your inbox, that doesn't mean it's safe.
Phishing Simulations: Testing What Your Team Actually Does
Reading about red flags is one thing. Applying them at 4:47 PM on a Friday when you're rushing to close out the week? That's entirely different.
Phishing simulations send realistic, controlled phishing emails to your employees and measure who clicks, who reports, and who enters credentials. They're the closest thing to a fire drill for your inbox.
In my experience running these programs, organizations that conduct monthly simulations paired with cybersecurity awareness training see click rates drop from 15-20% to under 5% within six months. That's not a marginal improvement — that's the difference between a breach and a near-miss.
What Good Simulations Include
- Scenarios modeled on real, current phishing campaigns (fake MFA prompts, spoofed internal IT requests, fake delivery notifications)
- Immediate feedback when an employee clicks — not punishment, but a short explanation of what they missed
- Tracking over time to identify repeat clickers who need additional coaching
- Escalating difficulty as your team's baseline performance improves
Multi-Factor Authentication: Your Safety Net When Someone Clicks
Even with the best training, someone will eventually click a phishing link. That's not cynicism — it's probability. Multi-factor authentication (MFA) ensures that a stolen password alone isn't enough to compromise an account.
Phishing-resistant MFA — like hardware security keys (FIDO2/WebAuthn) — is the gold standard. SMS-based MFA is better than nothing but vulnerable to SIM-swapping and real-time phishing proxies. Push notification MFA can be defeated by "MFA fatigue" attacks where the attacker bombards the victim with approve/deny prompts until they tap "approve" out of frustration.
If you're still relying solely on passwords, you're making the threat actor's job trivially easy.
Building a Report-First Culture
Here's what separates good security programs from great ones: employees who report suspicious emails without hesitation.
Most organizations punish or embarrass employees who fall for phishing simulations. That's counterproductive. It teaches people to hide mistakes, not report them. One unreported phishing email that leads to credential theft can give an attacker a foothold that persists for months.
Instead, reward reporting. Make it easy — a one-click "Report Phish" button in the email client. Acknowledge every report. Share anonymized stats showing how many phishing emails the team caught this month. Turn security awareness into a team sport, not a blame game.
A Practical Checklist You Can Use Right Now
Before you interact with any email that asks you to take action, run through this mental checklist:
- Sender: Does the email address exactly match the legitimate domain?
- Urgency: Is the email pressuring me to act immediately?
- Links: Do the URLs go where I'd expect when I hover?
- Attachments: Was I expecting this file?
- Request: Is this email asking for credentials, payment changes, or personal data?
- Greeting: Does it use my actual name or a generic placeholder?
- Verification: Can I confirm this request through a separate, trusted channel?
If even one item raises a flag, don't click. Don't reply. Report it to your security team and verify independently.
Your Organization's Next Step
Knowing how to spot phishing emails is a skill — and like any skill, it atrophies without practice. One-time training decks don't change behavior. Ongoing simulations, reinforced by practical education, do.
If your team hasn't run a phishing simulation in the last 90 days, you're overdue. If your security awareness training consists of an annual slide deck, you're leaving your organization exposed. Start with a structured phishing awareness training program and pair it with a comprehensive cybersecurity awareness training curriculum that covers social engineering, credential theft, ransomware, and more.
The threat actors aren't slowing down. Your training shouldn't either.